add auth validation

Author: blublinsky

src/app/endpoints/query_v2.py

@@ -22,7 +22,7 @@
 from authorization.middleware import authorize
 from configuration import AppConfig, configuration
 from constants import DEFAULT_RAG_TOOL
-from models.config import Action
+from models.config import Action, ModelContextProtocolServer
 from models.requests import QueryRequest
 from models.responses import (
     ForbiddenResponse,

src/models/config.py

@@ -2,6 +2,7 @@
 
 # pylint: disable=too-many-lines
 
+import logging
 from pathlib import Path
 from typing import Optional, Any, Pattern
 from enum import Enum
@@ -32,6 +33,8 @@
 from utils import checks
 from utils.mcp_auth_headers import resolve_authorization_headers
 
+logger = logging.getLogger(__name__)
+
 
 class ConfigurationBase(BaseModel):
     """Base class for all configuration models that rejects unknown fields."""
@@ -1641,6 +1644,45 @@ class Configuration(ConfigurationBase):
         description="Quota handlers configuration",
     )
 
+    @model_validator(mode="after")
+    def validate_mcp_auth_headers(self) -> Self:
+        """
+        Validate MCP server authorization headers against authentication module.
+
+        Removes any MCP server with authorization_headers="kubernetes" when the
+        authentication module is not "k8s". This prevents sending wrong credential
+        types to MCP servers.
+
+        Returns:
+            Self: The model instance after validation.
+        """
+        # Get authentication module value (pyright: ignore attribute access on Field)
+        auth_module = getattr(self.authentication, "module", None)
+
+        # Filter out misconfigured MCP servers
+        valid_mcp_servers = []
+        for mcp_server in self.mcp_servers:
+            is_valid = True
+            if mcp_server.authorization_headers:
+                for value in mcp_server.authorization_headers.values():
+                    if value.strip() == "kubernetes" and auth_module != "k8s":
+                        logger.warning(
+                            "Removing MCP server '%s': has authorization_headers with "
+                            "value 'kubernetes' but authentication module is '%s' "
+                            "(not 'k8s'). Either change authentication.module to 'k8s' "
+                            "or update the MCP server's authorization_headers to use a "
+                            "file path or 'client'.",
+                            mcp_server.name,
+                            auth_module,
+                        )
+                        is_valid = False
+                        break
+            if is_valid:
+                valid_mcp_servers.append(mcp_server)
+
+        self.mcp_servers = valid_mcp_servers
+        return self
+
     def dump(self, filename: str | Path = "configuration.json") -> None:
         """
         Write the current Configuration model to a JSON file.

tests/unit/app/endpoints/test_query_v2.py

@@ -196,22 +196,6 @@ def test_get_mcp_tools_skips_server_with_missing_auth() -> None:
     # All servers should be skipped
     assert len(tools) == 0
 
-    # With token but no mcp_headers
-    tools = get_mcp_tools(servers, token="k8s-token", mcp_headers=None)
-    # First server should work, others skipped
-    assert len(tools) == 1
-    assert tools[0]["server_label"] == "missing-k8s-auth"
-
-    # With mcp_headers but missing one for partial-auth
-    mcp_headers = {
-        "missing-client-auth": {"X-Token": "client-token"},
-        "partial-auth": {"X-Custom": "client-custom"},  # Missing Authorization
-    }
-    tools = get_mcp_tools(servers, token=None, mcp_headers=mcp_headers)
-    # Only missing-client-auth should work
-    assert len(tools) == 1
-    assert tools[0]["server_label"] == "missing-client-auth"
-
 
 def test_get_mcp_tools_includes_server_without_auth() -> None:
     """Test that servers without auth config are always included."""

tests/unit/app/endpoints/test_streaming_query_v2.py

@@ -67,6 +67,7 @@ async def test_retrieve_response_builds_rag_and_mcp_tools(
         ),
     ]
     mocker.patch("app.endpoints.streaming_query_v2.configuration", mock_cfg)
+    mocker.patch("app.endpoints.query_v2.configuration", mock_cfg)
 
     qr = QueryRequest(query="hello")
     await retrieve_response(mock_client, "model-z", qr, token="tok")

tests/unit/models/config/test_model_context_protocol_server.py

@@ -9,11 +9,12 @@
 from pydantic import ValidationError
 
 from models.config import (  # type: ignore[import-not-found]
-    ModelContextProtocolServer,
-    LlamaStackConfiguration,
-    UserDataCollection,
+    AuthenticationConfiguration,
     Configuration,
+    LlamaStackConfiguration,
+    ModelContextProtocolServer,
     ServiceConfiguration,
+    UserDataCollection,
 )
 
 
@@ -230,6 +231,7 @@ def test_configuration_mcp_servers_with_mixed_auth_headers(tmp_path: Path) -> No
             feedback_enabled=False, feedback_storage=None
         ),
         mcp_servers=mcp_servers,
+        authentication=AuthenticationConfiguration(module="k8s"),
         customization=None,
     )
     assert cfg is not None